This is the final article in my series on Enterprise Open Source Intelligence Gathering. This information relates to the main topics from my presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part one. If you missed part two (blogs, message boards and metadata) you can check that out here. This last article will be about putting together a simple monitoring program/toolkit and creating a social media policy for your company.

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered? Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”. The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important? You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business. Also, you want to pay particular attention to the areas of social media that your business has a presence on. For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first. Why? These are the sites that you have most likely allowed certain employees to use this form of media for business purposes. Lastly, keep in mind that choosing what to monitor should be a group collaborative effort. Get your marketing and public relations people involved in the decision making process. As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important. There are two tools that I will talk about. Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes? The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web. Like Unix pipes, simple commands can be combined together to create output that meets your needs:

– combine many feeds into one, then sort, filter and translate it.
– geocode your favorite feeds and browse the items on an interactive map.
– grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created! If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own. Creating a pipe is really easy as well. Yahoo! provides good documentation on their site even with video tutorials if you are lost. Everything is done in a neat visual “drop-n-drag” GUI environment. For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS. Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring. Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice. I personally like Google Reader because it’s easy to use and manage. However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring. This should be someone in your information security department and someone with social media skill sets. Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to. Finally, plug these feeds into your RSS reader and set up procedures for monitoring. When will you check these feeds? What happens if the monitoring person is out? Is there a backup for this person? These are just a few of the things you need to think about when putting together these procedures. There may be many more (or less) depending on your business. Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy. Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in. This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company? If you do, have you checked to see if they include specific things like social networks? How about commenting on company news or issues on public social networks? This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media. The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy. The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media. Lastly, what is acceptable for employees to post? Keep in mind that employees have Internet access *everywhere* nowadays. iPhones, smartphones, Google phones…employees have these and guess what? They are most likely using them at work. How do you know that they are not commenting about company confidential business? With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here? Create the policy! The last part of this article has examples of good policies that you can reference when creating your own policies. There is lots of good information in the following links and you can customize these for your own environment and business situation:

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations. Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.